
After the hack that recently took down Sony’s systems, massive amounts of sensitive employee data were leaked online. Additionally, five films from Sony Pictures Entertainment are now circulating on file sharing networks.

Since the incident, there have been many conflicting reports about the breach as malware samples became available for deeper analysis. Multiple samples were obtained; the first contained a worm that spreads via SMB. The hardcoded IP addresses and host name mappings it carries also indicate that the attackers had prior knowledge of the internal network, and prove that this was a targeted attack.

A second sample was also made public, revealing embedded wiping functionality. Hardcoded credentials for accessing systems were also observed, further proving that this was a targeted attack against the media conglomerate.

This wiping functionality is reminiscent of older Wiper attacks with similar malicious actions. The first known wiper-like attacks were the Shamoon attacks on Saudi Aramco’s systems on August 15, 2012, which affected more than 30,000 systems, and a similar follow-up attack one week later. It wasn’t until August 28 that the systems were operating normally again.

The other well-known case is the Dark Seoul attack on South Korea in March 2013, which wiped thousands of computers. It later emerged that the intention was not only to disrupt telecommunications throughout the nation but also to steal military secrets.

Let’s see what the facts say. Similarities include:

  1. Just like Shamoon, the Sony wiper (dubbed Destover) uses commercially available RawDisk drivers from EldoS, which are stored in the dropper’s resource section.
  2. The Shamoon and Dark Seoul wipers overwrote the master boot record of infected systems, and research by Jaime Blasco (AlienVault) shows that Destover also systematically connects to specific servers and wipes the hard drive and master boot record.
  3. Part of the code appears to have been compiled in a Korean-language environment, just as the Dark Seoul malware was.
  4. The attackers claiming responsibility in all of these cases have no identity or prior history of their own, making it more likely that they are pseudonyms used by the actual hacking group to deflect blame. They all made vague pseudo-political claims and bizarre accusations of criminal misconduct to justify their attacks.

However, it is important to note that such commonalities across large-scale targeted attacks on major corporations make it highly unlikely that completely unrelated groups were at work. At the same time, these similarities do not provide conclusive evidence that the perpetrator of the Shamoon or Dark Seoul attacks was responsible for the attack on Sony, or even that North Korea was, for that matter.

Coming back to the malware, neither sample was particularly complex; apparently, it was no more complex than was necessary to be effective. No binary packing, obfuscation of the samples, or anti-debugging techniques were observed.
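Because the samples were neither packed nor obfuscated, the indicators discussed above can be surfaced with plain static triage. The script below is an added example, not code from this post or from the analyses it cites: it flags an embedded PE image (the driver-in-resource-section pattern), hardcoded IPv4 literals and UNC host names in a constructed sample buffer, not a real Destover binary.

```python
import re
import struct

# Heuristics tied to the post: a driver carried in the dropper's resource
# section shows up as a second PE image, and internal targets as literals.
IPV4_RE = re.compile(rb"\b(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}\b")
UNC_HOST_RE = re.compile(rb"\\\\([A-Za-z0-9_.-]+)")

def find_embedded_pe(data: bytes) -> list:
    """Offsets of every PE image in `data`: an 'MZ' stub whose e_lfanew
    (DWORD at 0x3C) points to a 'PE\\0\\0' signature inside the buffer."""
    hits = []
    for m in re.finditer(rb"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        pe_off = off + e_lfanew
        if e_lfanew >= 0x40 and data[pe_off:pe_off + 4] == b"PE\0\0":
            hits.append(off)
    return hits

def find_ipv4(data: bytes) -> list:
    """Sorted, de-duplicated IPv4 literals (version strings can false-positive)."""
    return sorted({m.group().decode() for m in IPV4_RE.finditer(data)})

def find_unc_hosts(data: bytes) -> list:
    """Host names referenced as \\\\HOST UNC paths, i.e. likely SMB targets."""
    return sorted({m.group(1).decode() for m in UNC_HOST_RE.finditer(data)})

def triage(data: bytes) -> dict:
    """Summarise indicators; a PE found after offset 0 is the embedded-driver pattern."""
    pes = find_embedded_pe(data)
    return {"embedded_pe_offsets": [o for o in pes if o != 0],
            "ipv4": find_ipv4(data), "unc_hosts": find_unc_hosts(data)}

def make_min_pe() -> bytes:
    """Constructed 68-byte stand-in for a PE header (test data only)."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)

# Constructed "dropper": a second PE follows a fake .rsrc marker.
SAMPLE = (make_min_pe() + b"\x00dropper code\x00" + b"10.0.0.5\x00"
          + b"\\\\FILESRV01\x00" + b".rsrc" + make_min_pe() + b"\x00192.168.10.20\x00")
```

Run `triage(SAMPLE)` to see the three indicator lists; on a real sample, read the file as bytes and pass it in the same way.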

These attacks are another reminder that organizations need to look ahead in securing their own network infrastructure: the attack showed prior knowledge of Sony’s architecture, which could have been obtained through social engineering or earlier successful intrusions. In either case, better awareness across the entire organization, and not just the IP team, is what is needed to thwart such attacks in the future.

About the Author: Dhiraj Rajani – “I am a Master’s student in Computer Forensics and Security Management at the University of Alabama at Birmingham. I have a Bachelor’s in Computer Engineering from India. I have 3 years of software development and testing experience at Wipro and Manhattan Associates.

I am currently working on Spam and Phishing research with Gary Warner at the Center for Information Assurance and Joint Forensics Research at UAB.”

Image courtesy of ShutterStock.